[0001] The present invention refers to methods, apparatuses and systems for providing security
mechanisms for a computer system, in particular to an embedded system within a network
of industrial devices.
[0002] In modern technical production or automation systems, industrial end devices are
digitally connected and communicate over a network. For example, in automotive systems,
devices are used for control of the motor system, the window movement and respective
motors, the media system and/or a system for aggregating diagnostic data for the purpose
of technical diagnosis. Each device may comprise its own computer system with a dedicated
function within a larger mechanical and/or electrical system. The digital computer-based
system (e.g. microprocessor, microcontroller with additional peripherals, including
but not limited to RAM, persistent storage and interface controllers) may thus be
embedded as part of a complete device often including hardware and mechanical parts
(like for example factory controllers, controllers in automation systems or for use
in avionics). The processor(s) may be used for a variety of specialized computations,
or may even be custom designed for the application at hand. Common applications in
the industrial context can include digital signal processing, machine learning, computer
vision, real-time control or applications for monitoring manufacturing processes.
[0003] For all the different kinds of processes to be executed on the device, different
security domains can be defined. A security domain defines which operations a process
running in the security domain is able to execute. As a result, the process will be
restricted to a certain known-good behavior. Should such a process try to exhibit
unintended behavior, e.g. induced through malicious means by an attacker, it will
be prohibited from doing so due to the restrictions imposed by the security domain
it is running in.
[0004] Devices known in the art are typically manufactured and equipped with a mandatory
access control (MAC) mechanism that can be used to define and enforce security domains
for processes running on the device. MAC refers to a type of access control by which
the operating system constrains the ability of an application, process or thread to
access or generally perform some sort of operation on a resource or target, like e.g.
a file, directory, TCP/UDP port, shared memory segment, IO devices, etc. The processes
and resources each have a set of security attributes. Whenever a process attempts
to access a file or other resource, an authorization rule enforced by the operating
system kernel examines these security attributes and decides whether the access can
take place. Any operation by any process on any object is tested against the set of
authorization rules, defined in a MAC policy, to determine if the operation is allowed.
[0005] With mandatory access control, this security policy is centrally controlled (for
example by a central administrator) and users and processes do not have the ability
to override the policy, either accidentally or intentionally, and, for example, cannot
grant access to files that would otherwise be restricted. By contrast, discretionary
access control (DAC), which also governs the ability of subjects to access objects
on a more coarse-grained level, allows users the ability to make policy decisions
and/or assign security attributes.
[0006] MAC mechanisms are commonly used in operating systems, like e.g. Linux with a human
administrator who is responsible for defining the MAC policy.
[0007] However, industrial devices or devices for "Industry 4.0 systems", digital systems
or industrial Internet systems, which are used in the field, have to be operated autonomously,
i.e. without a human administrator.
[0008] For these devices, however, there is a need to define the MAC policy flexibly and
to adapt the MAC policy settings even after commissioning or start-up of the device,
during its operation.
[0009] From the state of the art the following documents are known: US 8,531,247 B2,
US 8,892,616 B2, US 8,300,811 B2, US 9,147,088 B2, US 9,584,311 B2, EP 2 976 707 B1,
EP 2 605 445 B1, EP 2 870 565 A1, EP 2 891 102 A1, WO 2017137256 A1, EP 2 870 565 B1,
EP 3 028 140 B1, EP 17175275 and US 8,843,761 B2.
[0010] Therefore, it is an object of the present invention to improve the security settings
for an industrial device. In particular, the security settings should be flexibly
amendable without re-boot of the device, without having to update the entire device
firmware and without human interaction.
[0011] This object is achieved by a method, a system, a device and a computer program according
to the pending independent claims. Advantageous features and embodiments are mentioned
in the dependent claims and in the description.
[0012] According to a first aspect, the invention relates to a method for adapting or updating
a mandatory access control (in the following also abbreviated as MAC) policy for processes,
which may run in different security domains on an industrial device within a network
of devices. Typically, a set of different processes are executed on the device in
different security categories or security domains. The method comprises the following
steps:
- Providing at least one policy administration point (in the following abbreviated as
PAP) locally on the industrial device, wherein each PAP is associated with at least
one of the security domains which it can administer;
- Providing an adapted or updated MAC policy to the PAP (for example in a table-formatted
data structure);
- Checking integrity and authenticity of the received adapted MAC policy and in case
of validation:
- Instructing the industrial device to automatically implement the adapted MAC policy.
[0013] One core idea of the invention is to extend and improve the mandatory security settings
of an autonomous device during operation in the field without reboot of the device.
The security settings should be amendable autonomously in response to detected conditions.
The conditions to be detected and considered are pre-configurable and may for example
relate to a state of the device, to operating conditions, to sensor data, to a context
(for example a runtime environment condition).
[0014] According to a preferred embodiment, at least one PAP is provided or allocated for
and thus responsible for one security domain (for selected processes on the device).
Thus, each of the devices is equipped with at least one PAP. This improves flexibility
of the method. It is possible to provide a 1-to-n-relation for PAP and security domain.
Thus, one single PAP may be responsible for at least one and also for more than one
security domain. However, it has to be assured that not more than one single PAP is
responsible for one dedicated security domain. Responsibility for a security domain
entails that only the responsible PAP is able to modify the managed security domain(s)
and no others. This ensures that if a malicious party is in control of a PAP, it
cannot modify the security domains managed by other PAPs on the device.
[0015] According to another preferred embodiment, a master PAP is provided for all PAPs,
wherein the master PAP instructs all PAPs specifically and in a dedicated manner with
its corresponding adapted MAC policy, wherein the master PAP is responsible for checking
integrity and authenticity of the received adapted MAC policy centrally and commonly
for all PAPs. This aspect has the advantage that the complexity of the PAPs may be reduced,
in that tasks and duties which need to be executed for all PAPs may be executed only
once in the master PAP and need not be carried out redundantly on each of the PAPs.
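The method steps of paragraphs [0012] to [0015] as an added Python model, constructed for this page and not code from the patent: a master PAP checks the adapted policy once with an HMAC over a shared secret (the symmetric option among the two named later in the definitions), resolves the responsible PAP for every domain the policy names, and each PAP refuses any domain outside its allocation. The domain names, rule strings, key and JSON layout are assumptions of the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret between the policy server and this device.
DEVICE_KEY = b"constructed-shared-secret-for-this-example"

def sign_policy(policy: dict, key: bytes):
    """Serialize the abstract policy and compute the HMAC tag the server attaches."""
    message = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag

class SecurityDomain:
    """Logical group of MAC rules; a process is bound to one domain when it starts."""

    def __init__(self, name, rules=()):
        self.name = name
        self.rules = set(rules)

class PAP:
    """Policy administration point: may alter only the domains allocated to it."""

    def __init__(self, name, domains):
        self.name = name
        self.domains = {d.name: d for d in domains}

    def apply(self, domain_name, add=(), remove=()):
        # Exclusive responsibility: a compromised PAP cannot reach other PAPs' domains.
        if domain_name not in self.domains:
            raise PermissionError(f"{self.name} is not responsible for {domain_name}")
        domain = self.domains[domain_name]
        domain.rules -= set(remove)
        domain.rules |= set(add)
        return sorted(domain.rules)

class MasterPAP:
    """Validates an adapted policy once and forwards each part to the owning PAP."""

    def __init__(self, paps, key):
        self.key = key
        self.owner = {}
        for pap in paps:
            for domain_name in pap.domains:
                # Allocation rule: every domain has exactly one responsible PAP.
                if domain_name in self.owner:
                    raise ValueError(f"domain {domain_name} allocated to two PAPs")
                self.owner[domain_name] = pap

    def receive(self, message: bytes, tag: str):
        expected = hmac.new(self.key, message, hashlib.sha256).hexdigest()
        # Constant-time comparison; one altered byte in the policy fails here.
        if not hmac.compare_digest(expected, tag):
            return {"accepted": False, "reason": "integrity/authenticity check failed"}
        policy = json.loads(message)
        # Resolve every target domain before touching any, so a policy that names an
        # unmanaged domain is rejected as a whole instead of being half-applied.
        targets = [(entry, self.owner.get(entry["name"])) for entry in policy["domains"]]
        missing = [entry["name"] for entry, pap in targets if pap is None]
        if missing:
            return {"accepted": False, "reason": f"no PAP for {missing}"}
        applied = {entry["name"]: pap.apply(entry["name"], entry.get("add", ()),
                                            entry.get("remove", ()))
                   for entry, pap in targets}
        return {"accepted": True, "domains": applied}

def build_device():
    """Constructed device modelled on Fig. 1; PAP2 owns two domains (1-to-n relation)."""
    pap1 = PAP("PAP1", [SecurityDomain("SD1", {"read:/dev/ttyS0"})])
    pap2 = PAP("PAP2", [SecurityDomain("SD2", {"read:/var/diag"}), SecurityDomain("SD3")])
    return MasterPAP([pap1, pap2], DEVICE_KEY), pap1, pap2

def refused(pap, domain_name):
    """True when the PAP rejects a change to a domain it does not administer."""
    try:
        pap.apply(domain_name, add=["any:rule"])
    except PermissionError:
        return True
    return False

# Constructed adapted policy: extend SD1, tighten SD2.
ADAPTED_POLICY = {"domains": [
    {"name": "SD1", "add": ["write:/dev/ttyS0"]},
    {"name": "SD2", "add": ["connect:tcp/8883"], "remove": ["read:/var/diag"]},
]}

if __name__ == "__main__":
    master, pap1, pap2 = build_device()
    message, tag = sign_policy(ADAPTED_POLICY, DEVICE_KEY)
    print(master.receive(message, tag))                          # accepted
    print(master.receive(message.replace(b"SD2", b"SD3"), tag))  # tampered: rejected
    print(refused(pap1, "SD2"))                                  # True
```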
[0016] According to another preferred embodiment, a state of the device (e.g. operating
mode of the device, end of boot mode, service mode) is detected automatically and
in response to the detected state, the MAC policy is determined or updated and activated
automatically. This has the advantage that automation of a MAC policy adaption may
be improved. For example, a particular operating phase of the device (which may be
pre-configured in a preparation phase) may be detected (e.g. a boot phase or a self-test
phase) and in response to the detected phase, the actualization of the MAC policy
may be triggered. In another embodiment, sensors are provided in the device or in
the system, external to the device for providing sensor data. Sensor data may e.g.
relate to a failure of a component or to detecting a compromising state.
[0017] According to another preferred embodiment, the adapted MAC policy is provided by
receiving it from a device-external network entity, for example a security server.
This aspect makes it possible to centrally administer all the devices with either
a common MAC policy or device-specific MAC policies.
[0018] According to another preferred embodiment, the adapted MAC policy is provided by
automatically analyzing the application to be executed on the device or the process
respectively. The analysis aims at extracting security rules from the application
binary file, based on an application / process analysis mechanism, which is executed
locally on the device. Preferably, the process analysis mechanism (i.e. the mechanism
for analyzing the application) is executed after an application update has been loaded
on the device or after installation of a new application on the device. This helps
to further improve automation of the MAC policy adjustment on the devices.
[0019] According to another preferred embodiment, the process analysis mechanism analyzes
the process with respect to its interfaces and parameterizes a pre-configurable template
for determining the MAC policy automatically. The template is provided on the PAP.
During runtime, the PAP may execute the analysis mechanism in order to parameterize
the pre-configured template. The PAP or a subcomponent thereof extracts the rules
of the application or application update. For example, it is analyzed which input/output
interfaces the application accesses or it is analyzed whether the application manipulates
or addresses real time control functions. The policy rules of the application may
be defined by using dependencies or an if-then-structure (e.g. "access to USB interface,
if available"). Further, the PAP may automatically fill the template on the basis
of the extracted abstract rules and definitions of the application. Metadata may be
detected (e.g. source or manufacturer of the application/update) and may be used by
the PAP to further deduce security settings and for automatically adapting or extending
the MAC policy.
[0020] According to another preferred embodiment, the method comprises automatically
detecting a deletion or de-installation of an (application) process on the device and,
based thereon, automatically removing again the corresponding adaptations of the MAC
policy which were implemented, entered or activated in response to installation of the
process. This makes it possible to restore a prior security setting, which was
valid prior to installation of the new application. Thus, changes to the MAC policy
may be reversed again. In case an application is no longer active on the device, this
system state is detected automatically and the MAC policy is amended in response thereto.
[0021] According to another preferred embodiment, the MAC policy may control access to shared
processes (or resources), i.e. to processes which are shared between (cooperating)
devices. In this case, a decision with respect to the adaption of the MAC policy has
to be verified and validated by all cooperating devices. Only in case a verification
signal for adaption of the MAC policy is received from all cooperating devices, the
MAC policy may be changed.
[0022] In some embodiments it is possible that the device communicates with a central unit,
for example for service requests or for authorizations. In these cases, it is possible
to attach the adapted MAC policy rules to the communication data packets, which are
exchanged with the central unit (e.g. in software defined networks (SDN) or in sliced
virtual logical network systems, Slice/VLN systems). Upon authorization to use a service
in a virtual network, the central unit that is in charge of managing the virtual networks
can therefore also provide a device with an adapted MAC policy, using dedicated messages.
The adapted MAC policy may contain rules that allow certain processes on the device
to communicate with services in the network. Access to services in the network can
therefore be adapted on a fine-grained process-level, in addition to a device-level.
[0023] In embodiments which refer to internet of things networks, several devices of different
kind are connected. In this setting, resources (for example services provided by a
device in the network that can perform certain production steps) may be shared between
different devices. In such embodiments, the adaption of a MAC policy may require a
verification signal from all cooperating devices or a set of privileged cooperating
devices. In a virtual logical network (VLN) a device in a first step may only access
a default network. Only after receiving consent in form of a verification signal from
all cooperating devices, the device is allowed to access the "real" VLN in a second
step, and thus services offered by other devices in the network. In addition, access
to certain VLNs can be controlled using a MAC policy on a device. Processes on the
device can therefore be allowed to communicate with other VLN participants by adapting
the MAC policy accordingly, based on decisions by other participants of the network.
This feature has the advantage of enabling majority decisions on the adaption of
a MAC policy.
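The group decision of paragraphs [0021] and [0023] as an added Python example (constructed for this page, not the patent's code): a policy change that touches a shared resource is held back until every cooperating device, or every device of a privileged subset, has sent a verification signal, and only then is the rule granting access to the "real" VLN added to the domain. Signals are HMACs under per-device keys so the block runs offline; the device names, keys, resource labels and the majority variant's threshold are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device keys; each cooperating device would hold only its own.
DEVICE_KEYS = {"D1": b"constructed-key-D1", "D2": b"constructed-key-D2", "D3": b"constructed-key-D3"}

# Constructed: resources behind the "real" VLN are shared between the devices.
SHARED_RESOURCES = {"vln:production", "service:press-controller"}

def policy_digest(policy: dict) -> bytes:
    """Canonical digest of one adapted policy; every verification signal is bound to it."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).digest()

def verification_signal(device: str, policy: dict, key: bytes) -> str:
    """Signal a cooperating device sends once it has validated the adapted policy."""
    return hmac.new(key, device.encode() + policy_digest(policy), hashlib.sha256).hexdigest()

class SharedPolicyDecision:
    """Collects verification signals for one adapted policy and decides on it."""

    def __init__(self, policy, device_keys, privileged=None, mode="all"):
        self.policy = policy
        self.keys = device_keys
        # Either all cooperating devices or a privileged subset have a say.
        self.voters = set(privileged) if privileged else set(device_keys)
        self.mode = mode                  # "all": unanimity, "majority": more than half
        self.signals = set()

    def touches_shared(self) -> bool:
        rules = set(self.policy.get("add", ())) | set(self.policy.get("remove", ()))
        return not rules.isdisjoint(SHARED_RESOURCES)

    def record(self, device: str, signal: str) -> bool:
        """Count a signal only from a voter and only when it verifies for this policy."""
        if device not in self.voters:
            return False
        expected = verification_signal(device, self.policy, self.keys[device])
        if not hmac.compare_digest(expected, signal):
            return False              # wrong key, or a signal issued for a different policy
        self.signals.add(device)
        return True

    def decide(self) -> str:
        if not self.touches_shared():
            return "apply-locally"    # no shared resource involved: the device decides alone
        needed = len(self.voters) // 2 + 1 if self.mode == "majority" else len(self.voters)
        return "apply" if len(self.signals) >= needed else "pending"

def effective_rules(current: set, decision: SharedPolicyDecision) -> set:
    """Second step of VLN attachment: beyond the default network only after consent."""
    if decision.decide() not in ("apply", "apply-locally"):
        return set(current)
    policy = decision.policy
    return (set(current) - set(policy.get("remove", ()))) | set(policy.get("add", ()))

# Constructed adapted policy: let processes in SD1 reach the production VLN.
VLN_POLICY = {"domain": "SD1", "add": ["vln:production"]}

if __name__ == "__main__":
    decision = SharedPolicyDecision(VLN_POLICY, DEVICE_KEYS)
    for dev, key in DEVICE_KEYS.items():
        decision.record(dev, verification_signal(dev, VLN_POLICY, key))
        print(dev, decision.decide(), effective_rules({"vln:default"}, decision))
```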
[0024] According to another preferred embodiment, the method for adapting the MAC policy
is executed automatically after connecting to the network and in particular within
the context of a network endpoint assessment (NEA). The NEA reference model provides
network owners with a mechanism to evaluate the posture of a system. An overview of
network endpoint assessment is given in Internet standard RFC 5209. The protocol to
distribute the security posture information is specified in RFC 5793. Also, Trusted
Network Communications (TNC) as specified by the Trusted Computing Group (TCG) can
be used to provide information on the security state of a network endpoint. Note
that the TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB)
Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by RFC 5793. This
assures that the operating system and the installed applications and processes on
the respective device conform to the MAC policy. As a result, a list of
installed applications which are in conformity with the MAC policy (inventory list)
may be provided. This result may be provided to a PAP for further processing on the
device.
[0025] The adapted MAC policy may be signed or may be secured using a cryptographic method.
This enhances security in that the integrity and authenticity of the adapted MAC policy
can be verified, and that unintended or intended changes can be detected.
[0026] In another aspect the invention refers to a system for adapting a MAC policy for
processes, running in different security domains on an industrial network device,
wherein each of the industrial network devices comprises at least one policy administration
point (PAP), in which an adapted MAC policy is provided, and wherein the system further
comprises a validation module, which is adapted to check integrity and authenticity
of the received adapted MAC policy and which is further adapted to instruct the industrial
network device to automatically implement the adapted MAC policy in case of validation.
[0027] In a preferred embodiment, the system further comprises a master policy administration
point, wherein each of the policy administration points is subordinate to and communicates
with the master policy administration point, and wherein the master policy administration
point comprises the validation module for checking integrity and authenticity for
all PAPs.
[0028] In another aspect the invention refers to an industrial network device with a policy
administration point in which an adapted MAC policy is provided for adapting a MAC
policy for processes, running in different security domains of the industrial network
device for use in a system according to any of the preceding system claims.
[0029] In another aspect the invention refers to a computer program with program code for
executing a method according to any of the preceding method claims, if the computer
program is executed on an industrial network device.
[0030] In the following a short definition of terms is given.
[0031] The term MAC policy refers to a mandatory access control policy. It relates to a
set of security rules for accessing resources on the device. The set of security rules
precisely defines which security domain has access to a resource on the device, in
particular to a process running on the device or to data, and the extent of access
once the resource is accessed. The MAC policy cannot be changed with user interaction.
So, a MAC policy is enforced independently from user-defined permissions. The Trusted
Computer System Evaluation Criteria (TCSEC) defined MAC as "a means of restricting
access to objects based on the sensitivity (as represented by a label) of the information
contained in the objects and the formal authorization (i.e., clearance) of subjects
to access information of such sensitivity". The MAC policy is typically enforced by
the operating system (OS) kernel. Linux-based systems may serve as operating systems.
Commonly, it has been designed to be a fixed, unchangeable policy. In some implementations,
it can be modified only by specially trusted processes on the device, running in a
security domain with corresponding access rights to alter the policy. Note that mandatory
access control can also be called mandatory integrity control.
[0032] The industrial device may be an embedded system, an industrial control device, a
control computing entity and/or a control unit in different types of systems, such
as a railway monitoring device, a device controlling part of a manufacturing process,
a robot and/or a network switch. The network switch may in particular be part of a
software defined network (SDN). The device may be an SDN controller, a mobile base
station or an access point in a wireless network, like a WLAN access point.
[0033] The industrial device (in short: device) is part of a network and may cooperate with
other devices. The device may be an embedded system, an internet of things device
or a device in the context of "Industry 4.0 systems", digital systems or Industrial
Internet systems. Further, the device may be or may be part of a cyber-physical system,
or a device within a cloud computing or cognitive computing system. The devices are
connected via a network. The network may be a physical, a virtual and/or a logical
network.
[0034] A process is to be understood as a process running on the device. It may be an application,
providing a particular functionality, for example monitoring and controlling certain
input and output signals in an embedded system.
[0035] A policy administration point (in short PAP) is a reliable process which is provided
locally on the device. A device can contain multiple PAPs. The PAP executes a MAC
policy management function. The PAP may be provided as service for the device. The
PAP serves to exclusively administer one or more associated security domains of the
MAC policy in dependence of or in response to different pre-configurable trigger events.
A PAP will only be able to alter the security domains that are allocated to it. In
addition, no two PAPs on a device should be able to alter the same domain. This confines
the extent of a compromised PAP to only those security domains that are allocated
to it. The trigger events may refer to the detection of a new installation of a process
or an updated installation of an installed process on the device or to the detection
of a status or configuration change of the device (e.g. boot mode - operating mode)
or to detection of a new or renewed connection to a network. If required, a PAP can
verify the integrity and authenticity of an adapted MAC policy, either by itself or
using a verification service provided by a dedicated process on the device, depending
on the implementation.
[0036] The PAP communicates with device-external network nodes to receive an adapted
MAC policy. The adapted MAC policy may be provided in one of several embodiments of
a dedicated MAC policy data structure. The adapted rules can, for example, be provided
through additional policy source files that amend or replace policy source files in
the format of the respective MAC technology. The adapted MAC policy may also be transmitted
in an abstracted or metadata format, e.g. using a (set of) JSON-file(s), from which
the PAP can derive rules that conform to the format and semantics of the respective
MAC technology. The MAC policy data structure may be included in a digitally signed
download archive of an app download file.
[0037] A security domain is a set of rules and settings relating to security of the device.
In the context of this application, a security domain is a logical grouping of rules
in a MAC policy. The entirety of security domain rules therefore defines the MAC policy.
A process is allocated to a security domain when it is started. As a result, a process
will be constrained to the privileges defined by the rules in the security domain
definition. In an example embodiment, there may exist three different categories of
security domains: a first with a low level, a second with a medium level and a third
with a high security level. Processes may run in different security domains. For example,
a process running in a security domain with a high security level may only be allowed
access to one certain resource on the device, while processes running in a security
domain with a low security level will be allowed access to a larger set of resources.
[0038] Checking for integrity and authenticity of the data (received adapted or updated
MAC policy) refers to security checking. Integrity is about making sure that the data
has not been altered from some "reference version", e.g. from the origin or source
of the MAC policy provider. Authenticity is a special case of integrity, where the
"reference version" is defined as "whatever it was when it was under control of a
specific entity". Authentication is about making sure that a given entity (with whom
you are interacting) is who you believe it to be. The checking may be executed by
verifying a cryptographic signature of data, that was signed using either a shared
secret key (for example in a keyed-hash message authentication code, HMAC), or a private
key in an asymmetric signature scheme.
[0039] A master PAP is a functional entity similar to a PAP but with additional
functionality for executing superordinate or higher-level functions. The master
PAP is in data exchange with device-external network nodes and entities. The master
PAP is adapted to execute all functions and methods which need to be executed on each
of the subordinated PAPs and which therefore may be executed centrally for all PAPs.
These functions comprise checking the integrity and authenticity of data packets.
In other embodiments further central evaluations may be executed, like an analysis
whether the data packet has been received completely. Furthermore, the master PAP
can forward MAC policy adaptations required for specific domains to the respective
subordinate PAP. The master PAP may additionally derive concrete MAC policy adaptations
based on received policy metadata and/or other sources of information, such as a device-local
state, the applications currently running on the device, or the presence of a certain
physical interface.
[0040] According to an idea of the invention, trigger events are detected automatically
and locally on the device or in the network. In response to the detected content of
the trigger events, automatic adaption or update of the MAC policy is initiated. For
example, it may be checked, if a new application has been installed on the device.
In this case, a pre-definable rule set may be accessed which defines that in case
of a new application upload, the MAC policy adaption/update has to be initiated. Thus,
in this case, an instruction will be generated on the device to implement the adapted
MAC policy automatically. Another example relates to the system state or configuration.
If a boot mode is finalized and the device is operated in the normal operational mode,
a rule set may define that this is also a trigger event for initiating a MAC policy
adaption (or update). Other trigger events relate to the involvement or embedding
of the device into the physical or logical network. For example, an adapted MAC policy
may be derived from the results of a network endpoint assessment (NEA) when the device
is connected to a network. This adapted MAC policy can then be supplied to the PAP(s)
on the device, which will subsequently implement the changes.
BRIEF DESCRIPTION OF THE DRAWINGS
[0041]
- Fig. 1 shows a schematic representation of a device, which may be an embedded system
device, in an overview manner.
- Fig. 2 shows a more detailed schematic representation of a device according to a
preferred embodiment of the invention.
- Fig. 3 represents another preferred embodiment of a structure of the device.
- Fig. 4 represents a schematic representation of two possible embodiments for a PAP
architecture.
- Fig. 5 is another example embodiment for the PAP architecture.
- Fig. 6 is a flow chart representing possible trigger events for executing automatic
adaption of the MAC policy.
DETAILED DESCRIPTION OF THE DRAWINGS
[0042] Figure 1 shows an overview of a device D for use in an embedded system. The device D may for
example be a control device for controlling an automation system. The device D comprises
a processor, for example in the form of a microprocessor or microcontroller for executing
specific functions which are implemented in an application or process P1, P2, P3,...Pn.
Each of the processes P runs in a dedicated MAC security domain SD. The security domain
is a set of rules for specifying which resources processes that are running in the
security domain are allowed to access. The domains are defined in the mandatory access
control policy (in short MAC policy). The device D comprises at least one policy administration
point PAP, which serves to administer and manage the domains defined in the MAC policy
for the processes P on the device D. Typically, one policy administration point PAP
may be responsible for and serve one or more security domains SD. However, the system
architecture excludes that more than one policy administration point PAP serve the
same security domain SD.
[0043] In the example embodiment shown in Fig. 1, security domain 1 serves processes P1
and P2 and PAP1 is allocated to this security domain 1. PAP2 is responsible for security
domain SD2 with process P3 and PAPn is allocated to security domain SD3 for processes
P4 and Pn. The device D is in data exchange with other network devices or network
elements NE and may receive an adapted MAC policy from a central entity.
[0044] Figure 2 shows a more detailed architecture of the device D with the policy administration
point PAP, which is in data exchange with the operating system kernel K, which receives
and enforces the MAC policy. The system kernel K is responsible for policy enforcement
on the device D. In a preferred embodiment, the operating system is a Linux-based
system. The device D further comprises a validation module VM. The validation module
may be adapted for checking integrity and authenticity of the exchanged data and in
particular of the adapted MAC policy. The adapted MAC policy 10 is received and provided
on the policy administration point PAP as shown in Fig. 2 with the arrow in downward
direction. In case of validation of the adapted MAC policy, provided on the policy
administration point PAP, the policy administration point PAP instructs the operating
system kernel K to implement the adapted MAC policy, for example via a dedicated operating
system instruction. In this embodiment, each of the policy administration point PAPs
is responsible for checking integrity and authenticity of the received adapted MAC
policy 10 by itself. This may lead to redundant processing for each of the policy
administration point PAPs on the device D.
[0045] Therefore, in another preferred embodiment, shown in Figure 3, a master policy
administration point mPAP is provided in addition to the set of PAPs
on each device D. The master policy administration point mPAP is adapted to receive
the adapted MAC policy 10 and to forward the same to the validation module VM, which
in this embodiment is located in the master policy administration point mPAP and centrally
services all the different PAPs of the device D. In this embodiment, the higher ranking
functions, comprising check of integrity and authenticity, and possibly modifying
the adapted policy rules or metadata based on device-specific characteristics, may
only be executed once for all associated PAPs. This serves to reduce processing resources.
[0046] Figure 4 relates to the trigger event 'connecting the device to the network' for adapting
the MAC policy automatically. A network endpoint assessment (NEA) is executed. The
NEA policy 20 may be provided to the MAC policy 10, which is to be provided on the
PAP or master policy administration point mPAP, depending on the embodiment. In Fig.
4 on the left side, the embodiment is shown with the group of PAPs which are provided
with the adapted MAC policy 10. On the right side and depicted with dotted lines the
embodiment is shown, where the device D additionally comprises a master policy administration
point mPAP, which will be provided with the adapted MAC policy 10. A NEA posture validation
point, i.e., a NEA server node that collects endpoint specific data 30 from multiple
endpoints, may be used for providing collected endpoint specific data 30, which will
be provided to the master policy administration point mPAP.
[0047] An example embodiment is explained below with respect to Figure 5. A network element
NE is in network connection with the devices D. The network is
a physical network, for example a wireless network (WLAN, etc.). Several instances
of the device D are depicted in Figure 5 for different security domains SD. On the
left, the device D is shown with its first security domain SD1 and with associated
PAP1; on the right, the device D is depicted with its second security domain SD2 and
with associated PAP2 and below third security domain SD3 with PAP3. Further, the device
D represented at the bottom comprises two different security domains SD1 and SD2 with
corresponding PAP1 and PAP2. The devices D are connected in the network NW and in
case of shared resources or processes, also majority decisions of the group of devices
are possible for validating the adapted MAC policy 10. Only if all the cooperating
devices transmit a validation signal for the adapted MAC policy, the same will be
implemented on the set of cooperating devices.
[0048] In a preferred embodiment a network endpoint assessment NEA is executed, as explained
above. The NEA data and/or the adapted MAC policy are provided to the policy administration
point PAP, master policy administration point mPAP and/or to the network element NE.
This is represented in Fig. 5 by the dotted line and the rectangle bearing the
reference numerals mPAP, 20, 10.
[0049] Figure 6 shows different possible scenarios for triggering events for initiating the instruction
of automatically implementing the adapted MAC policy in the device D. In step S11
a state of the device D is detected automatically. In step S12 a configuration state
or an operating mode (boot mode, functional operating mode, service mode) are detected.
Depending on the signal received from the respective detectors, the device is
instructed to activate the received adapted MAC policy 10, e.g. by instructing the
policy administration point to send an implementation instruction to the processor
operating system kernel K of the device D in step S2. Another option is to detect
in step S14 whether a new application process P has been loaded onto the device D
or in step S13 an update of the application has been loaded. In either case, this
will be detected automatically by a sensor unit which will again transmit a respective
signal. In case the signal represents that a new application (update) has been loaded,
a rules database may be consulted to determine that the adapted MAC
policy should be implemented in step S2. In this respect it has to be mentioned that
the rules database for the trigger event signals and their relation to the instruction
to implement the adapted MAC policy may be changed during runtime and even independently
of the MAC policy adaption process. This improves the flexibility of the system. Another
option is to detect the network connection of the device D in conjunction with a network
endpoint assessment NEA. This may be achieved with an NEA module which serves as a
sensor to detect the attachment of a new device, providing information on network
connections and device configurations. The respective sensor signal (e.g. new network
connection established) is evaluated against the rules database. An update
of the MAC policy is then automatically instructed to be implemented in step
S2. That means that, depending on the information provided by the NEA module, the MAC
policy is updated automatically according to the defined rules database.
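As an added example that is not part of the patent application, the following Python sketch models the local PAP described in paragraphs [0047] to [0049]: the validation module checks integrity and authenticity of a received adapted MAC policy 10, the rules database decides which trigger-event signal leads to step S2, and the group decision requires a validation signal from every cooperating device. The HMAC-SHA256 keying, the event names and the rule table are assumptions made for this example.

```python
import hashlib, hmac, json

# Hypothetical pre-shared key between the policy provider and the PAP (constructed value).
PAP_KEY = b"constructed-demo-key"

def sign_policy(policy, key=PAP_KEY):
    """Provider side: attach an HMAC-SHA256 tag over the canonical policy encoding."""
    body = json.dumps(policy, sort_keys=True).encode()
    return {"policy": policy, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def validate_policy(msg, key=PAP_KEY):
    """Validation module (VM): integrity and authenticity check of a received policy."""
    body = json.dumps(msg["policy"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))

# Rules database: trigger-event signal -> implement the adapted policy in step S2?
# It may be changed at runtime independently of the policy adaption itself.
RULES = {
    "S11_state_detected": True,
    "S12_boot_mode": True,
    "S12_service_mode": False,   # assumed rule: no policy switch during servicing
    "S13_app_updated": True,
    "S14_app_loaded": True,
    "NEA_new_connection": True,
}

class PAP:
    def __init__(self, rules=RULES):
        self.rules = dict(rules)
        self.pending = None   # validated adapted policy waiting for a trigger event
        self.active = None    # policy currently implemented by the kernel K

    def receive(self, msg):
        """Store the adapted MAC policy only if the VM check succeeds."""
        if not validate_policy(msg):
            return False
        self.pending = msg["policy"]
        return True

    def on_event(self, event):
        """Sensor signal: consult the rules database; on a match, perform step S2."""
        if self.pending is None or not self.rules.get(event, False):
            return False
        self.active, self.pending = self.pending, None
        return True

def group_decision(votes):
    """Shared processes: implement only when every cooperating device validated."""
    return bool(votes) and all(votes)
```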
[0050] While the current invention has been described in relation to its preferred embodiments,
it is to be understood that this description is for illustrative purposes only. For
example, the device D may be an embedded system or another technical apparatus in
an automation system, for example being administered by a network element. For the
person skilled in the art it is clear that the invention may also be used for devices
D communicating via different networks NW. For example, the network NW may be a wireless
network or a network based on TCP/IP. Accordingly, it is intended that the invention
be limited only by the scope of the claims appended hereto.
1. Method for adapting a MAC policy for processes (P), running in different security
domains (SD) on an industrial device (D) within a network (NW), comprising the following
steps:
- Providing a policy administration point (PAP) locally on the industrial device (D)
for at least one of the security domains (SD);
- Providing an adapted MAC policy (10) in the policy administration point (PAP);
- Checking integrity and authenticity of the adapted MAC policy (10) and in case of
validation:
- Instructing the industrial device (D) to implement the adapted MAC policy (10) automatically.
2. Method according to claim 1, wherein at least one policy administration point (PAP)
is allocated and responsible for at least one security domain (SD).
3. Method according to any of the preceding claims, wherein a master policy administration
point (mPAP) is provided for all policy administration points (PAP) on the device,
wherein the master policy administration point (mPAP) instructs all policy administration
points (PAP) specifically with its respectively adapted MAC policy (10), wherein the
master policy administration point (mPAP) is responsible for checking integrity and
authenticity of the received adapted MAC policy (10) for all policy administration
points.
4. Method according to any of the preceding claims, wherein a state of the device (D)
is detected automatically and based on the detected state, the adapted MAC policy
(10) is activated automatically.
5. Method according to any of the preceding claims, wherein the adapted MAC policy (10)
is provided by receiving the same from an external network entity.
6. Method according to any of the preceding claims, wherein the adapted MAC policy (10)
is provided by automatically analyzing the process for extracting security rules from
the process (P), based on a process analysis mechanism, which is executed locally
on the device (D).
7. Method according to the directly preceding claim, wherein the method is executed after
a process update has been loaded on the device (D) or after installation of a new
process on the device (D).
8. Method according to the directly preceding claim, wherein the process analysis mechanism
analyzes the process (P) with respect to its interfaces and parameterizes a pre-configurable
template for determining the adapted MAC policy (10) automatically.
9. Method according to any of the preceding claims, wherein the method comprises detecting
a deletion or de-installation of a process (P) on the device (D) and, based thereon,
automatically removing again the corresponding adaptions of the MAC policy which have
been implemented in response to installation of the process (P).
10. Method according to any of the preceding claims, wherein the adapted MAC policy controls
access to shared processes (P), which are shared between cooperating devices (D) and
wherein a decision with respect to the adaption of the MAC policy has to be validated
by all cooperating devices (D).
11. Method according to any of the preceding claims, wherein the method for adapting the
MAC policy is executed automatically after connecting to a network endpoint assessment
(NEA).
12. System for adapting a MAC policy for processes, running in different security domains
(SD) on an industrial network device (D) of a plurality of industrial network devices,
wherein each of the industrial network devices (D) comprises a policy administration
point (PAP), in which an adapted MAC policy (10) is provided, and wherein the system
further comprises a validation module (VM), which is adapted to check integrity and
authenticity of the received adapted MAC policy (10) and which is further adapted
to instruct the industrial network device (D) to automatically implement the adapted
MAC policy (10) in case of validation.
13. System according to the directly preceding system claim, wherein the system further
comprises a master policy administration point (mPAP), wherein each of the policy
administration points (PAP) is subordinated communicating with the master policy administration
point (mPAP), wherein the master policy administration point (mPAP) comprises the
validation module (VM) for checking integrity and authenticity for all policy administration
points.
14. Industrial network device with a policy administration point (PAP) in which an adapted
MAC policy (10) is provided for adapting a MAC policy for processes (P), running in
different security domains (SD) of the industrial network device (D) for use in a
system according to any of the preceding system claims.
15. Computer program with program code for executing a method according to any of the
preceding method claims, if the computer program is executed on an industrial network
device (D).